Brain Dump

A place to store my random thoughts and anything else I might find useful.

Archive for the ‘gentoo’ Category

Installing gentoo with root encryption: notes

Posted by mzanfardino on October 23, 2008

Note: This is compiled from several sources (which I will site at the end) and my own experience. This example assumes the following partition table:

/dev/sda1 /boot
/dev/sda2 swap
/dev/sda3 /
  • Follow Gentoo Handbook through 4.d. FUTURE: Add notes regarding flushing drive with /dev/urandom before encrypting.
  • Be sure to emerge cryptsetup. (NOTE: this should not be necessary as gentoo 2008.0 includes luks support).
  • Load necessary modules:
    modprobe dm-crypt # required
    modprobe dm-mod # required
    modprobe serpent # optional
    modprobe blowfish # optional
    modprobe aes # optional but required for aes-cbc-essiv
  • Encrypt the swap partition and mount it. NOTE: Encytping with random passkey – does not require passkey to mount:
    cryptsetup -c aes-cbc-essiv:sha256 -d /dev/urandom create swap /dev/sda2
    mkswap /dev/mapper/swap
    swapon /dev/mapper/swap
  • Encrypt the root partition. NOTE: This example assumes a keyword/passphrase. FUTURE: Add examples for keyfile encryption:
    cryptsetup -y --cipher serpent-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda3
  • Open newly encrypted partition:
    cryptsetup openLuks /dev/sda3 root
  • Create the file system on the logical root. This example assumes ext3. FUTURE: Add notes concerning the user of alternate file system:
    mke2fs -j -m 1 -O dir_index,filetype,sparse_super /dev/mapper/root -L root
  • Create the file system for /boot. This example assumes ext2 (as you needn’t journal a boot partition). FUTURE: Add notes concerning the use of alternate file system:
    mke2fs /dev/sda1 -L boot
  • Mount the file system for use during the remainder of install:
    mount /dev/mapper/root /mnt/gentoo
  • Return to the Gentoo Handbook from step 5 to 7.d (genkernel)
  • Build the kernel with genkernel
    cd /usr/src/linux
    genkernel --luks --menuconfig all

    The key here is that you configure your kernel for ramdisk support and luks support FUTURE: add details.
  • Continue with Gentoo Handbook from 7.e till 8.a
  • Modify /etc/fstab to mount root from /dev/mapper/root. fstab will look as follows:
    /dev/sda1 /boot ext2 defaults,noatime 1 2
    /dev/mapper/swap none swap sw 0 0
    /dev/mapper/root / ext3 noatime 0 1
  • Modify /etc/conf.d/dmcrypt to mount swap during boot:
    swap=swap
    source='/dev/sda2'
  • Continue with Gentoo Handbook from 8.b till 10.b.
  • Configure GRUB to use genkernel:
    title Gentoo Linux 2.6.25-r8 (genkernel)
    root (hd0,0)
    kernel /boot/kernel-genkernel-x86-2.6.25-gentoo-r8 root=/dev/ram0 init=/linuxrc ramdisk=8192 crypt_root=/dev/sda3 vga=791
    initrd /boot/initramfs-genkernel-x86-2.6.25-gentoo-r8

    NOTE:kernel name may be different,be sure to use the correct initramfs and kernel.

Unbelievably that’s it! After days and days of trying to create my own initramfs and writing my own linuxrc files it really comes down to passing using genkernel to build the kernel and initramfs with luks support by passing genkernel –luks! (well, and the rest).

More to come later.

Citation:
http://gentoo-wiki.com/SECURITY_System_Encryption_DM-Crypt_with_LUKS#Preparing_the_disk
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Using_initramfs_and_busybox
http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt
http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=1

Here is a handy one for when you have to chroot into your system because you omitted something and it doesn’t boot: http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=6

Advertisements

Posted in gentoo, linux | Tagged: , , , | 2 Comments »